PUP.Win32.YahooCompanion_f8fb0fcda4
mzpefinder_pcap_file.YR, PUPYahooCompanion.YR, SearchProtectToolbar.YR, PUPAirInstaller.YR (Lavasoft MAS)
Behaviour: Installer, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: f8fb0fcda4216e9055982f114b21db37
SHA1: 91511545574b05b05cda3b82b0fd8deca6ec1a69
SHA256: d23cdf9750b8f6b02d3ae2ab51771c130ff6978be42a2dc0a7b19d3127e91fa6
SSDeep: 49152:HvlwvmA2vDTXj5lppfNH5DlhsZCTuBJLPd:HvQmAy5lDnsZdPd
Size: 2152448 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: SafeInstall, LLC
Created at: 2015-02-09 19:29:11
Analyzed on: WindowsXP SP3 32-bit
Summary:
PUP. Potentially Unwanted Program. An application that does not display malicious behavior yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which in a certain context can be wanted e.g. remote administration tools or IRC clients.
Payload
No specific payload has been found.
Process activity
The PUP creates the following process(es):
No processes have been created.
The PUP injects its code into the following process(es):
%original file name%.exe:348
Mutexes
The following mutexes were created/opened:
c:!documents and settings!adm!local settings!history!history.ie5!mshist012015031220150313!
_!SHMSFTHISTORY!_
__DDrawCheckExclMode__
DDrawWindowListMutex
__DDrawExclMode__
DDrawDriverObjectListMutex
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
VdiMsiLock
InstallIQUninstallOptionLock
InstallIQFirefoxLock
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
QuickStartApp
W3i_CoreBrowserShutdown
W3iFFPrefslock
DialogCloseProcessLock
CPackageZlib::CPackageZlib
W3iCoreLogger
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
File activity
The process %original file name%.exe:348 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\yahoo.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\ECBFC9AB-A637-4487-9A66-817881951C55.zip (904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\E92D7B47-33AD-4469-81D4-CB551DE8DDA8.zip (889 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\1D677809-65E4-4CBA-B3B2-1705755F5F07.zip (434 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\session.response.json (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\BF68CAAA-24EB-4A90-94B1-A68D8718116D.zip (731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\D21384DD-7E7F-4D84-9C43-6D82036FA24F.zip (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\container-separator.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\226383C9-5E0D-4ABD-8308-30F31DD040A6.zip (666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\fulldiskfighter.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\4594AF2F-4D07-4B39-B15B-443A87882878.zip (732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\C4B20519-3B35-4A1C-BB5C-695D80D9C28D.zip (926 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\checkbox.png (650 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\5C22ACAC-4D3A-4D89-9980-81FBB493E7B8.zip (888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\screenmanager.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\E9E56BE3-7EC7-450B-9C2E-BA9B0BCD6B05.zip (817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\pcoptimizerpro_offer.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\099AEF6E-E690-4A5C-85F8-481343649504.zip (809 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\testsuitemanager.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\noyahoo.js (323 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\knockout-2.2.1.js (2696 bytes)
%System%\wbem\Logs\wbemprox.log (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\lodash.custom.min.js (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\66DFABC3-9023-45A3-A5DE-FA8CAAEF0AAC.zip (856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\AF33782B-57D0-466B-831D-0CE47455F809.zip (892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\2704D408-C40A-4848-BC30-B5478423E8C9.zip (821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\script.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\btn.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\filewhiz_tn.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\btn-win-cancel.png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\petite_oo_v5.vi.json (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\bg_disc_wrap.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\B2B00637-BC0D-48D8-B686-9F13DA5E04A1.zip (822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4RSNKIEU\ENG.SCC.config[1].txt (740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\step-contents-stepped.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\80A3CCD4-64BC-4AF8-853B-ABA075AE5218.zip (866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\step-contents.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\F80287B7-718C-4676-AC71-3F1AB04A60E1.zip (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\smartdriverupdater.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\B88FF7FD-BE0E-44BC-97BC-D6943F9F8A86.zip (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\2E076E93-E171-4F73-A0D5-5BFDDE0E4783.zip (792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\kmsxSuite.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\f8fb0fcda4216e9055982f114b21db37.log (1052387 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\theanswerfinder.vi.zip (838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SymCCIS2.zip (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\bg-installprogress.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\4FFA1EE1-2AD7-40C8-9643-B801D9DED1A0.zip (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\B7F6A91D-8542-4B59-A285-EF08E6922F28.zip (883 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\3927F92B-2CF0-4555-8A62-C42865E873C2.zip (936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\AD04DC3C-8B12-4879-83E3-523DF600D9DE.zip (968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\installprogress.png (998 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\mediaplayervb.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\404D0823-2D00-44F7-AC98-92F79F87E4F2.zip (778 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SCC.dll (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\224505F1-4910-4879-A9AD-B70D1AE1A120.zip (904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\42FDD0AA-EAD7-45DD-8421-47492FCFF9DB.zip (941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\petite_oo_v5.vi.html (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\driverscanner.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\view.petite_oo_v5.vi.json (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\7E447291-0A05-4EB1-98E9-49ECF3C139D1.zip (834 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\minmax.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\driverfighter.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\mediaplayer_12478.txt (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\8C58D003-E863-4399-A7CF-A32275393FD1.zip (412 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\offerparser.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\config.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\BB13E620-1EBA-47D8-A623-39986DE12F1F.zip (790 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\css\style.css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\spyhunter.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\F5C1E3BE-C571-4295-82AB-9C78A7DFD0BA.zip (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\55997C50-1F00-4D74-BAEF-46A658272B17.zip (971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\B7109C6A-73CA-4979-B038-5AE45CBE649F.zip (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\custom-check.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\9332870F-9082-4684-AFF2-8C852FCEE8D7.zip (747 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\kaspersky.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\441493C8-0E32-4504-B8CC-7851FFF110EC.zip (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\common.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\saferbrowser.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\mediaplayervb\tn_videobuzz.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\7BAB633E-6C2D-45CC-BFE3-A79142FDABBF.zip (507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\F3DA0320-7EB0-4648-BE62-3B08958C9B3E.zip (920 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\nortonsecurityscan.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\clickmanager.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AXJ7IPU1\SCC[1].dll (22789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\winferno.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\7D03F38F-AF42-4EAB-837C-E8B4B2D9B644.zip (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\1E00B2CE-84B4-4764-A567-81130045EEE4.zip (739 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\0393A455-8396-4E79-8339-7DAEDC83567B.zip (801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\jquery.min.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\00EB7EC2-4B2C-4603-9043-79A1C36414EE.zip (422 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\stub.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\json2.js (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\73EB1E3A-0BE4-4F19-8F38-6B2B93DB1927.zip (939 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\DF86C614-36F8-4BE3-A1A0-78E774802EE7.zip (928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\close.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\screenconfig.js (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\screenfactory.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\225E5BB2-B83F-478E-B774-62F53C2BCAD7.zip (858 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\13D66679-5DC0-48AA-BB42-E7BD34CEBAE2.zip (889 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\title-bar.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\screen.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\product-icon.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\AFB3988D-640F-43BB-8422-D40ED6AA32BE.zip (820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\pcmechanic.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SymCCIS.dll (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SCC.config (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\btn-win.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\utils.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\.DS_Store (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\8BF6320F-C08A-446A-80A8-FBCCDBA35CB7.zip (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SCCLog.txt (169952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\config.xml (17904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SymCCISDll.txt (41444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\responsemanager.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\F3823C96-34C1-478F-BA9E-3F84F3D6094F.zip (787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\slowpcfighter.vi.json (1 bytes)
The PUP deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SCC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SCC.config (0 bytes)
Registry activity
The process %original file name%.exe:348 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015031220150313]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015031220150313\"
"CacheLimit" = "8192"
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015031220150313]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015031220150313]
"CachePrefix" = ":2015031220150313:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\InstallIQ]
"test" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1423502951"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 8F 32 1D B8 0C C2 D9 2D 60 CD 92 AB 5E 56 8D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The PUP modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The PUP modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The PUP modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The PUP deletes the following registry key(s):
[HKLM\SOFTWARE\InstallIQ]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The PUP deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\InstallIQ]
"test"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 6bec059e9f70b59873807c4f2a72a8b5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SymCCIS.dll |
| 303f02fcd577a11acab7c3a36970e4be | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\AXJ7IPU1\SCC[1].dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: SafeInstall, LLC
Product Name: SafeInstaller
Product Version: 1.0.72.0
Legal Copyright: Copyright (C) 2014
Legal Trademarks:
Original Filename: safeinstall.exe
Internal Name: SafeInstaller
File Version: 1.0.72.0
File Description: Safe Installer
Comments:
Language: English (United Kingdom)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 494937 | 495104 | 4.49559 | 79f82a13a49c4af97e56105203db816e |
| .text-qu | 499712 | 3923 | 4096 | 4.19142 | c228b851da5948298b88d0f68be44c9c |
| .text-co | 503808 | 88205 | 88576 | 4.48498 | 2f42aaee8fba0023ededca09590de4fb |
| .text-co | 593920 | 75433 | 75776 | 4.46199 | bec45236b00d2c6df3523d3abeae3c59 |
| .text-co | 671744 | 48588 | 48640 | 4.49726 | bbc1d90a9748a63315478d95a33581ab |
| .text-co | 720896 | 14904 | 15360 | 4.40895 | 549da5eaa45276aef072ae9d0d48fac2 |
| .text-co | 737280 | 27320 | 27648 | 4.61595 | cb725a9e61efca91b39ed98e633883c3 |
| .text-co | 765952 | 10272 | 10752 | 4.36435 | 35783d34da5aea49ae9ae220f91dc23e |
| .text-co | 778240 | 263610 | 263680 | 4.59722 | 6130032b23e5b050f7ef6e091de45279 |
| .text-ti | 1044480 | 43367 | 43520 | 4.58486 | 8592313570f96ea9a1561a479718e67a |
| .text-co | 1089536 | 16103 | 16384 | 4.37497 | f049073835c36de1a89968d36253ad67 |
| .text-co | 1105920 | 59 | 512 | 0.606205 | fd9b2190e38582cf67313d0dd565b92b |
| .text-co | 1110016 | 12737 | 12800 | 4.42102 | fff94e8753aacfac54a8e2f4400a0b1e |
| .rdata | 1126400 | 266756 | 267264 | 3.8846 | 08eafd22a21d685373e8bbfdd4a5c06f |
| .data | 1396736 | 27492 | 17408 | 3.39538 | 47aaca79819f8c4e6b08107eac1eb3f9 |
| .data-qu | 1425408 | 41 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
| .data-co | 1429504 | 188 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
| .data-co | 1433600 | 56 | 512 | 0.042395 | 1e293257cf493bcacc1f9d4b65c50fe8 |
| .data-co | 1437696 | 40 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
| .data-co | 1441792 | 44 | 512 | 0.014135 | 2d5fe836dd5a60fa37b7c590cfc70410 |
| .data-co | 1445888 | 41 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
| .data-co | 1449984 | 40 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
| .data-co | 1454080 | 2932 | 3072 | 1.35606 | dcd991a144b39f17d95b47640f8edfb7 |
| .data-ti | 1458176 | 1176 | 1536 | 1.01305 | 3b2768e897e8ea9ee1bf5c4827ee3ac6 |
| .data-co | 1462272 | 40 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
| .data-co | 1466368 | 4 | 512 | 0.014135 | d340f23a7d18057bb02252a3cb40b877 |
| .data-co | 1470464 | 40 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
| .rsrc | 1474560 | 749052 | 749056 | 5.36252 | 3263057df44fe70e886260797de208b7 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://volumedl.com/cf5476cc-c061-4e3d-9a9c-a2d372d5ef85/1bfbc15c-3233-4b15-bd3c-cd88e1d3f937/94f9bb7f-80f3-454d-85e9-59d84db06066 | |
| hxxp://a568.d.akamai.net/upgrade/NSS/SymCCIS/Production/SCC.dll | |
| hxxp://a568.d.akamai.net/upgrade/NSS/SymCCIS/Production/SCC/w3i/ENG.SCC.config.txt | |
| hxxp://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production/SCC.dll | |
| hxxp://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production/SCC/w3i/ENG.SCC.config.txt | |
| stats.norton.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /cf5476cc-c061-4e3d-9a9c-a2d372d5ef85/1bfbc15c-3233-4b15-bd3c-cd88e1d3f937/94f9bb7f-80f3-454d-85e9-59d84db06066 HTTP/1.1
Content-Type: application/json; charset=utf-8
Accept: application/json;
installerversion: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: volumedl.com
Content-Length: 602
Cache-Control: no-cache
{"Content":"FrsQsDi7LOYAjhttwW2VRdfK0jpCMx3l6iYIV8EoK8i0kUoGpMvGcZkgQ9Ig6ErVm8q9vwcP5 NP ejJBPWcg7SgVCIOovjGgpqJn9EgqJJIUGzpE4syxwleaPmYZzck34wLUtT4IG8O3zq/J/I7pYkrum IqGMpKaxlvr8GaJBY4X8deuIataUdn ODlTVO9la0ZhanY5RtQKhLkfnB2SF/AhPjgCyxge4PXYPR1xc5RYl9e9ceEYUMbpa0f7M7rVkftOZtjzITsObMS3xPkLfv/M8k9FCIBFTUs4 RvUNYzB/VM0brhDaBqLbQauoAlS1KwytTB4fTvFlMmW4fWF1PmL0hvHRyBRu14esOewuU5J1OLWOGikv53EaBYnxvMWOtpjxEMmK9fhiV snVFqW6G95QftF1uvABKGFGJdCji4IvurCt0tWJZSXjTzv6hwK3MjhkeQ lMq4A3AO8KDrSnRfVJNbkYQoj4LXz18EQ5T6nxQj1cASbt6M4yY06eV ENQCpTwK/Z0myfob75FW0yCCczwC4be0LbM68BUKA6MiznGb1z 1JBCIBO3fYnJwd4okWwCwC"}
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="PSA OUR DEM"
X-Robots-Tag: noindex, nofollow
Set-Cookie: dtCookie=2$A18767427F2B2390C1C97B83B2240993|volumedl.com|1; Path=/; Domain=.volumedl.com
Date: Wed, 11 Mar 2015 22:26:01 GMT
Content-Length: 16190
<<< skipped >>>
GET /upgrade/NSS/SymCCIS/Production/SCC.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: liveupdate.symantecliveupdate.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "303f02fcd577a11acab7c3a36970e4be:1409925581"
Last-Modified: Fri, 05 Sep 2014 13:59:34 GMT
Accept-Ranges: bytes
Content-Length: 168288
Content-Type: application/octet-stream
Cache-Control: max-age=44
Expires: Wed, 11 Mar 2015 22:26:49 GMT
Date: Wed, 11 Mar 2015 22:26:05 GMT
Connection: keep-alive
<<< skipped >>>
GET /upgrade/NSS/SymCCIS/Production/SCC/w3i/ENG.SCC.config.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: liveupdate.symantecliveupdate.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "b8dbac3cc2be258b539c305a828416aa:1395133614"
Last-Modified: Tue, 18 Mar 2014 09:06:50 GMT
Accept-Ranges: bytes
Content-Length: 3216
Content-Type: text/plain
Cache-Control: max-age=424
Expires: Wed, 11 Mar 2015 22:33:09 GMT
Date: Wed, 11 Mar 2015 22:26:05 GMT
Connection: keep-alive
<<< skipped >>>
The PUP connects to the servers at the following location(s):
.text
`.text-quS
`.text-co
`.text-co8:
`.text-co (
`.text-tig
`.text-co;
`.rdata
@.data
.data-qu)
.data-co
.data-co8
.data-co(
.data-co,
.data-co)
.data-cot
.data-ti
.rsrc
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
Operation not permitted
Inappropriate I/O control operation
Broken pipe
0xX
Invalid CRT parameter
QuickStartApp.cpp
vi.engine.xml
chk_firefox
chk_chrome
OfferManager.cpp
position=%d, active=%d
%s[%d]
%d,%d,%d
** Debug mode: simulating stopping Firefox
** Debug mode: simulating stopping Chrome
%s must be closed before continuing. Press OK to close %s now. You may need to close %s manually.
Firefox
Google Chrome
%d err: %s
Chrome
firefox
chrome
opera
sxexaxrxcxhxpxrxoxtxexcxtxoxrx.xexxxex
view=%d,sel=%d,inst=%d,conf=%d,can=%d,err=%d,eid=%d,pos=%d,%s
control.txt
00000000-0000-0000-0000-000000000000
QuickStartProcess.cpp
%programfiles%\Free Offers from Freeze.com
disabling offer because system doesn't have Firefox
disabling offer because system doesn't have Chrome
%s[%s]: view=%s accept=%s
%s,%s
WindowsErrorCode
targetbrowser/key
%s:v=%s,id=%s,rc=%d,f=%d,e=%d,i=%s,p=%s,pb=%s,ex=%s,tr=%s,px=%d
%s:v=%s,rc=%d,os=%s,%s,%s|ie=%s
%d,%d,%s,%s,%s,%s
%d,%d,%d,%d,%d
%d,%d,%s,%s,%s,%s,%s
%d,%s,%s,%s,%s,%d,%d,%d,%d,%d,%d,%d,%d,%s,%s,%d,%s
offers
%s,%s,%s,%s,%s,%s,%s,%s
%s,%d,%s,%s
%s,%s,%u,%u,%d,%s
Unable to open thankyou page; url is empty or invalid!
statsd.response.txt
Web.Installer.VDI.CommError
Web.Installer.VDI.InstallError
Web.Installer.VDI.OfferDownloadError
Web.Installer.VDI.OfferInstallError
Web.Installer.VDI.OfferInstallFailed
hxtxtxpx:x/x/xdxlx2x.xvx4x7xixnxsxtxaxlxlxexrx.xcxoxmx/xlxmx/xbxuxnxdxlxexsx/xkxexexpxmxyxsxextxtxixnxgxsxxx/xkxexexpxmxyxsxextxtxixnxgxsxxx.xzxixpx
hxtxtxpx:x/x/xsxdxsxpxaxpxix.xcxoxmx/xaxpxix/xvxaxlxuxexsx
hXXps://search.yahoo.com/yhs/web?hspart=w3i&hsimp=yhs-syctransfer&type=W3i_DS,221,0_0,Search,20140522,19669,0,FF29,7635
hxtxtxpx:x/x/xdxlx2x.xvx4x7xixnxsxtxaxlxlxexrx.xcxoxmx/xlxmx/xbxuxnxdxlxexsx/xkxexexpxmxyxsxextxtxixnxgxsxxx/xsxpxvx1x.xzxixpx
spv1.zip
hxtxtxpx:x/x/xvxixnxsxtxaxlxlxexrx.xcxoxmx/xaxpxix/xtxrxaxcxkxoxfxfxexrxixnxsxtxaxlxlxdxextxaxixlxsx
hxtxtxpx:x/x/xvxixnxsxtxaxlxlxexrx.xcxoxmx/xaxpxix/xixnxsxtxaxlxlxexrxrxoxrx
session.response.json
postback.response.json
vmtest.txt
vmtest.txt is present, enbaling offers for vmtest
config.xml
pingurl
postbackurl
errorurl
statsdurl
uninstalloptionurl
encryptionkey
PingUrl
PostbackUrl
Config.cpp
stub.xml
.json
MainWnd.cpp
.html
OfferThread.cpp
Setting offer checkbox value: key=
COfferExe::GetXpiFilename
g:\winapps\windows\main\installer.quickstart.application\installer.quickstart.lib\OfferExe.h
configuration/downloadurl
configuration/downloadurl.64bit
configuration/msie.downloadurl
configuration/msie.commandline
configuration/firefox.downloadurl
configuration/firefox.commandline
configuration/chrome.downloadurl
configuration/chrome.commandline
configuration/allbrowser.downloadurl
configuration/allbrowser.commandline
configuration/regkeyadd
regkeyadd
configuration/ieregkey
ieregkey
configuration/firefox.pref
firefox.pref
configuration/firefox.xpimethod
configuration/firefox.xpilocation
configuration/firefox.xpidelete
LUA account detected, and flag lua_runasdesktopuser detected, forcing executeAsDesktopUser
configuration/iconurl
adding %s entry, ourVal='%s', theirVal='%s'
COfferExe::Download
Download url is empty!
_firefox is NULL!
COfferExe::OnInstall
Install is a dropfile; no exe to run...
Icon offer (in exe config) detected, running icon install
COfferExe::Run
COfferExe::HandleFirefoxOptions
firefoxoffer
HandleFirefoxOptions called with incorrect preferences set in config!
COfferExe::BuildCommandLine
msiexec.exe /i "%s" /qn ALLUSERS=2 REBOOT=ReallySuppress
msiexec.exe /i "%s" %s
Could not find firefox exe to install
Offer is installing XPI for Firefox 8 or higher, enabling GUI.
"%s" "%s"
"%s" %s
COfferExe::RunSearchProtectInstall
COfferExe::WaitForInstallProcess
OfferExe.cpp
COfferExe::WaitForProcessStarted
waiting for registry key:
COfferExe::WaitForRegistryValue
Registry key found.
Registry key found (64-bit).
COfferExe::WaitForFile
COfferExe::InstallXpi
Bad RegKeyAdd config; not correct format: (missing hive \ )
Bad RegKeyAdd config; not correct format: (missing , )
Bad RegKeyAdd config; not correct format: (missing = )
unable to set regkey from following RegKeyAdd:
RegKeyAdd:
unrecognized values in RegKeyAdd:
unable to set regkey from following IERegKey:
IERegKeyAdd:
unrecognized values in IERegKey:
COfferExe::FinishXpiInstall
COfferExe::CancelXpiInstall
COfferExe::RunIconInstall
%s_%s.url
configuration/url
configuration/msie.url
configuration/firefox.url
configuration/firefox.newtaburl
configuration/chrome.extensionid
configuration/chrome.extensionparam
All urls are empty!
COfferStartPage::InstallFirefox
_firefox is NULL!
** Debug mode: simulated setting Firefox startpage:
Error writing Firefox pref for startpage!
Error setting Firefox new tab!
Set new tab in Firefox.
Firefox startpage set successful.
chromeoffer
COfferStartPage::InstallChrome
_chrome is NULL!
** Debug mode: simulated setting Chrome startpage:
Error setting Chrome startpage: browser is still running!
Error writing Chrome pref for startpage!
Can't set new tab Chrome, function is implemented with Default Search.
Chrome startpage set successful.
OfferStartPage.cpp
startpageurl
oldstartpageurl
hXXp://ff.search.yahoo.com/gossip?output=fxjson&command={searchTerms}
configuration/msie.searchname
configuration/firefox.searchname
configuration/firefox.suggesturl
configuration/firefox.selectedengine
Error setting IE search: url is empty!
Internet Explorer version 6 or older does not support default search!
COfferDefaultSearch::InstallFirefox
** Debug mode: simulated setting Firefox default search:
Failed to write Yahoo xml for Firefox!
Firefox default search set successful.
COfferDefaultSearch::InstallChrome
** Debug mode: simulated setting Chrome default search by extension:
Failed to install default search extension for chrome!
Chrome default search set successful.
OfferDefaultSearch.cpp
searchurl
hxtxtxpx:x/x/xdxlx5x.xvx1xixnxsxtxaxlxlxexrx.xcxoxmx/x
PingResponse.cpp
targetbrowser/Key
PingThread.cpp
offer %s[%s]: isInstalled=%d canShow=%d
rule %s[%s]: isInstalled=%d
QuickStartDetectThread.cpp
ResourceThread.cpp
Response/url
passed
CRequirementManager::RunExecute
CRequirementManager::ParseExecuteResult
invalid flag in execute result:
Software\Microsoft\Windows\CurrentVersion\RunOnce
Running requirement.OnInstall:
Running requirement.OnCancel:
requirement.OnCancel is empty, skipping.
Running requirement.OnExit:
requirement.OnExit is empty, skipping.
%programdata%\W3i\UninstallHelper\iqu.ini
2.0.1.0
%xpxrxoxgxrxaxmxdxaxtxax%x\xWx3xix\xUxnxixnxsxtxaxlxlxHxexlxpxexrx\xixmxpxoxrxtx
quickstart.xml
quickstart%d.xml
Failed to save IQU data, too many import files in directory!
%xpxrxoxgxrxaxmxfxixlxexsx%x\xWx3xix\xUxnxixnxsxtxaxlxlxHxexlxpxexrx\xUxnxixnxsxtxaxlxlxHxexlxpxexrx.xexxxex
quickstart_si.xml
quickstart_si%d.xml
Failed to save SoftwareInfo data, too many import files in directory!
hxtxtxpx:x/x/xdxlx.xixnxsxtxaxlxlxixqx.xcxoxmx/xAxPxIx/xIxQxUx/xSxoxfxtxwxaxrxexIxnxfxox.xaxsxpxxx
UH executable not found!
"%s" /silent /noswinfo
%s:%d
handling firefox cookies...
FF.GetCookiesError
FF.NoCookies
firefox: no cookies found
FF.SetCookieError
FF.SetCookies
firefox: set cookies
getting firefox cookies for
CCookieManager::GetFirefoxCookies
Error enumerating firefox cookies!
firefoxenum
hXXp://
cookie.dat
Vista.NoResult
Vista.SavedLow
Vista.NoCookies
Vista.CopiedLow
%a, %d-%b-%Y %H:%M:%S GMT
cookieman.exe
Vista.ExtractError
Vista.CreateLowError
handling chrome cookies
Chrome.GetCookiesError
Chrome.NoCookies
Chrome: no cookies found
Chrome.SetCookieError
Chrome.SetCookies
Chrome: set cookies succeeded
getting Chrome cookies for
CCookieManager::GetChromeCookies
Error enumerating chrome cookies!
chromeenum
Safari.GetCookiesError
Safari.NoCookies
Safari.SetCookieError
Safari.SetCookies
Sending session request, url=
Request url is empty!
Request url is invalid!
ErrorLogger.cpp
explorer.exe
CDialogWindowJson::OnBeforeNavigate2, url=
DialogWindowJson.cpp
%s: view=%s accept=%s
chk_%s=
checkbox found; %s=%s
adding disclosure(%s): %s
installedbrowsers/firefox
installedbrowsers/chrome
installedbrowsers/opera
view.buildconfig.json
view.productconfig.json
ProgressDialog.cpp
Installing %d of %d
uninstalloption.exe
InstallIQFirefoxLock
configuration/postinstallexecute
configuration/postinstallexecuteintegrity
stopfirefox
stopchrome
disablechromeextensions
/msie.autoconfirm
/firefox.autoconfirm
/chrome.autoconfirm
COffer::WaitForFirefoxLock
Offer.cpp
_firefoxLock is already created!
Waiting for Firefox lock...
Firefox lock status:
Releasing Firefox lock
PostInstallExecute:
iexplore.exe
** Debug mode: simulating PostInstallExecute:
Cannot run post-install execute, file does not exist:
COffer::PostInstallExecute
PostInstallExecute command failed!
http:
Adding UH data: %s|%s,%s
Failed to extract uninstall option exe!
Error; uninstalloption.exe doesn't exist (after download and extract!)
Error copying uninstalloption.exe to program files!
error downloading uninstall option url!
%programfiles%\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
hXXp://airdownload.adobe.com/air/win/download/latest/AdobeAIRInstaller.exe
"%s" %s "%s"
AdobeAirInstaller.exe
JsonResponse.cpp
%firefoxprofiles%
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
Unknown uninstall key type encountered, skipping lookup
HRESULT:0x%X
crterr:%d
Win32Err:%d
@ line %d in function <%s>.
wininet.dll
Unknown error: %d
IDispatch error #%d
LoadLibrary failed in loading current exe:
CoreResource.cpp
CStringW.GetBuffer failed!
0xx
%s. {%s} @ line %d in function <%s> in module %s.
Win32Err:%d
HRESULT:0x%X
Error:%d
HttpStatus:%d
L%d:d.d.d_d:d:d.d
-- %s line %d --
[X]
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /%d
%s_%x%x%x%x%x
CoreFile.cpp
Exception %X in module %s at: 0x%p.
dbghelp.dll
0x%p %s
CoreProcess.cpp
CCoreProcess::ShellExecuteCommand
ShellExecuteCommand:
CCoreProcess::ShellExecuteCommandAndWait
Failed to execute command:
CCoreProcess::CloseProcessWindowsByModuleName
CCoreProcess::GetProcessExe32
CCoreProcess::GetProcessExe64
kernel32.dll
CoreXml.cpp
_ftprintf_s failed writing header to
]/Key/text()
CCoreXml::ParseRequiredKeyValue
CCoreXml::ParseRequiredKeyInt
CoreThread.cpp
PTF://
hXXps://
CCoreSystem::GetWindowsVersionId
Missing windows version, check the code!!
CoreSystem.cpp
%s (Build %d)
CCoreSystem::CacheWindowsInfo
Unknown OS! Major: 0xX, Minor: 0xX
%windows%
%system%
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
%desktop%
%desktopdir%
%userprofile%
%s0x%.2x%.2x%.2x%.2x%.2x%.2x-
SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322
SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727
SOFTWARE\Microsoft\.NETFramework\policy\v1.0
3321-3705
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
Iphlpapi.dll
%windows%\Desktop
proc.vboxsvc
VBoxService.exe
proc.vboxtray
vboxtray.exe
proc.vmtools
vmtoolsd.exe
proc.hvsvc
vmicsvc.exe
reg.vboxguest
reg.vboxmouse
reg.vboxsvc
reg.vboxsf
reg.vboxvid
reg.vboxbios
reg.vboxsguest
file.vboxhook
%system%\vboxhook.dll
reg.vmvid
reg.vmpci
reg.vmdbg
reg.vmcrd
reg.vmmem
reg.vmmouse
reg.vmdsk
reg.vmtools
reg.vmsnap
reg.vmnet64
reg.hvgenctr
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
reg.hvvmbus
reg.hvvid
reg.hvscsi
SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\0000
reg.hvinput
SYSTEM\CurrentControlSet\Control\Class\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\0000
reg.vboxdisk
reg.vmdisk
reg.hvdisk
sng.vmt2
sng.vmt1
sng.vmt4
sng.vmt3
gen.dbg
CCoreRegKey::Create
Warning: HKEY_CLASSES_ROOT opened for writing! This can lead to unpredictable results.
CCoreRegKey::Open
RegCreateKeyEx failed on key=
RegOpenKeyEx failed on key=
Registry key is not open! (
CoreRegKey.cpp
CCoreRegKey::GetValueType
CCoreRegKey::GetValueSize
CCoreRegKey::GetValueString
CCoreRegKey::GetValue
CCoreRegKey::SetValue
CCoreRegKey::DeleteValue
RegDeleteKeyExA
CCoreRegKey::DeleteKey
RegDeleteKey failed on
RegDeleteKeyEx failed on
CCoreRegKey::EnumSubKeys
SHCopyKey failed for
CCoreRegKey::CopyTree
CCoreEntryPoint<long (__stdcall*)(struct HKEY__ *,char const *,unsigned long,unsigned long)>::LoadProcAddress
CCoreEntryPoint<long (__stdcall*)(struct HKEY__ *,char const *,unsigned long,unsigned long)>::CCoreEntryPoint
Advapi32.dll
UniqueId.cpp
subKey is NULL!
%u,%u,%u,%u
0.0.0.0
\/:*?"<>|
createurlfilefail
Failed to create URL file!
Encryption key not initialized!
%Y-%m-%dT%H:%M:%S
CommandLine.cpp
CoreEvent.cpp
shell32.dll
CoreVista.cpp
Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_CONFIG
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
%s.%s
iexplore,ie.http
Failed to get IE version key!
Loading IE cookies for url:[
wrote %d cookies
CoreInternetExplorer.cpp
-noframemerging "%s"
ie.http\shell\open\command
Unable to find iexplore.exe, using shell execute (with possible warnings)
Default search regkey not found (may be a brand new install)
EnumSubKeys failed!
ieframe.dll
hXXp://VVV.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
url is empty!
Replacing existing provider url:
Error setting provider url!
CCoreInternetExplorer::FindFirstHistoryUrl
findfirsturlfailed
FindFirstUrlCacheEntry() failed!!
FindUrlCache handle is null!! Did you call FindFirstHistoryUrl first??
CCoreInternetExplorer::FindNextHistoryUrl
findnexturlfailed
FindNextUrlCacheEntry() failed!!
FindCloseUrlCache() failed!!
CCoreInternetExplorer::FindCloseHistoryUrl
findcloseurlfailed
msgTitle is required!
msgText is required!
browser.search.defaultenginename
browser.search.selectedEngine
MozillaUIWindowClass
browser.startup.homepage
firefox.exe,firefox.url,firefoxportableurl,firefoxurl,firefox
MozillaWindowClass
Software\Mozilla\Mozilla Firefox
Failed to get Firefox version key!
CCoreFirefox::GetVersion
Profile%d
firefoxver
%appdata%\Mozilla\Firefox
Firefox versions prior to 3 are not supported by LoadProfileCookies!
profiles.ini
Loading Firefox3 cookies for url:[
%s=%s
cookies.sqlite
Enumerating Firefox3 cookies for
cookies.txt
Enumerating Firefox cookies for
Found partial cookie in Firefox profile:
firefox.exe
-requestPending -osint -new-window "%s"
PathToExe
prefs.js
%programfiles%\Mozilla Firefox
CoreFirefox.cpp
CCoreFirefox::GetPrefString
CCoreFirefox::SetPrefString
user_pref("%s", %s%s%s);
CCoreFirefox::SetDefaultSearch
searchUrl is empty!
Can't set search engine while Firefox is running!
suggestionUrl is empty!
Setting Firefox default search engine:
SuggestionUrl=
SearchUrl=
Failed to write search hash for Firefox!
Failed to write search engine plug-in xml for Firefox!
hXXp://VVV.mozilla.org/2006/browser/search/
browser.search.order.2
browser.search.order.1
downloads.sqlite
Failed to open downloads.sqlite database!
places.sqlite
select source from moz_downloads where source like '%%%s%%' order by id desc
Failed to open places.sqlite database!
select url from moz_places where url like '%%%s%%' order by id desc
CCoreFirefox::SetStartpage
browser.startup.page
cannot set startpage; firefox is currently running!
CCoreFirefox::SetNewTab
Cannot set newtab because firefox is running!
/SearchPlugin/Url
browser.newtab.url
browser.search.param.yahoo-fr
firefox pref: browser.search.param.yahoo-fr=
CCoreFirefox::WriteSearchHash
search-metadata.json
nss3.dll
CCoreFirefox::GetVerificationHash
secmod.db
By modifying this file, I agree that I am doing so only within Firefox itself, using official, user-driven search engine selection processes, and in a way which does not circumvent user consent. I acknowledge that any attempt to change this file from outside of Firefox is a malicious act, and will be responded to accordingly.
CCoreChrome::SetCookie
g:\winapps\windows\main\core.cpplib\core.cpplib.browser\CoreChrome.h
Chrome_WidgetWin_0
Chrome_WindowImpl_0
Chrome_WidgetWin_1
Chrome_RenderWidgetHostHWND
chrome.exe,chrome.hwd,chromehtml,chromiumhtml,chrome,chromium
CCoreChrome; Cookie file does not exist
%local_appdata%\Google\Chrome\User Data\Default\Cookies
select name, value, host_key, path, expires_utc from cookies where
Loading Google Chrome cookies for url:[
Enumerating Google Chrome cookies for
host_key like '%
Chrome cookie file does not exist
CCoreChrome::EnumCookiesLegacy
select host_key, name, value, path, expires_utc from cookies where host_key like '%
CCoreChrome::EnumCookiesV33
Enumerating Google Chrome cookies (v33) for
CCoreChrome::EnumCookieRowCallback
select host_key, name, value, path, expires_utc, encrypted_value from cookies where host_key like '%
Failed to decrypt chrome cookie:
CoreChrome.cpp
chrome.dll
Chrome cookie:
Unable to find chrome.exe, using shell execute (with possible warnings)
--new-window "%s"
ChromeHTML\shell\open\command
chrome.exe
%programfiles%\Google\Chrome\Application
%local_appdata%\Google\Chrome\Application
CCoreChrome::GetStartpage
session/startup_urls
CCoreChrome::IsMultiStartPageEnabled
/preferences/session.restore_on_startup
/manifest/chrome_settings_overrides/search_provider/
CCoreChrome::GetDefaultSearchUrl
%local_appdata%\Google\Chrome\User Data\Default\Web Data
search_url
SELECT value FROM meta WHERE key='Default Search Provider ID'
SELECT id, short_name, url FROM keywords where id = %s
default_search_provider_data/template_url_data
CCoreChrome::GetDSUrlFromPrefTemplate
{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
default_search_provider_data/template_url_data/short_name
default_search_provider_data/template_url_data/url
default_search_provider_data/template_url_data/id
CCoreChrome::GetPreference
CCoreChrome::LoadPreferences
%local_appdata%\Google\Chrome\User Data\Default\Preferences
CCoreChrome::LoadSecurePreferences
%local_appdata%\Google\Chrome\User Data\Default\Secure Preferences
%local_appdata%\Google\Chrome\User Data\Default\History
select url from downloads_url_chains where url like '%%%s%%' order by id desc
Found chrome extension
chrome_url_overrides
Setting chrome extension [
Software\Wow6432Node\Google\Chrome\Extensions
Installing extension from web store:
CCoreChrome::InstallExtensionFromWebStore
Software\Google\Chrome\Extensions
hXXps://clients2.google.com/service/update2/crx
Error setting update_url in registry!
update_url
%local_appdata%\Google\Chrome\User Data\Default\Extensions
CCoreFirefoxXpiInstaller::Install
CoreFirefoxXPIInstaller.cpp
CCoreFirefoxXpiInstaller::GetXpiInfo
install.rdf
xml.LoadBuffer failed on
Installing Firefox add-ons via package...
Create install.rdf failed!
Firefox.exe not found!
CCoreFirefoxXpiInstaller::InstallAsPackage
installiq.xpi
Running Firefox to install add-ons:
Error running Firefox!
CCoreFirefoxXpiInstaller::CreateInstallRDF
<?xml version="1.0"?><RDF xmlns="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:NC="hXXp://home.netscape.com/NC-rdf#"
xmlns:em="hXXp://VVV.mozilla.org/2004/em-rdf#">
<Description about="urn:mozilla:install-manifest">
<em:id>[email protected]</em:id>
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id><em:maxVersion>*.*.*</em:maxVersion>
CCoreFirefoxXpiInstaller::SetResult
Error creating install.rdf!
CCoreFirefoxXpiInstaller::GetExtensionsFolder
Installed Firefox extension:
Can't get Firefox default profiles folder!
g:\winapps\windows\main\core.cpplib\core.cpplib.browser\CoreSearchProtectorApp.h
kxexexpxmxyxsxextxtxixnxgxsxxx.xexxxex
hxtxtxpxsx:x/x/xixnxsxtxaxlxlxexrx.xfxrxexexzxex.xcxoxmx/xLxoxgxExrxrxoxrx.xaxsxpxxx
KxexexpxMxyxSxextxtxixnxgxsxXx
hxtxtxpx:x/x/xdxoxwxnxlxoxaxdx.xixnxsxtxaxlxlxixqx.xcxoxmx/xlxmx/xbxuxnxdxlxexsx/xkxexexpxmxyxsxextxtxixnxgxsxxx/xsxoxfxtxwxaxrxexixnxsxtxaxlxlxaxtxixoxnx_x1x3x4x7x1x.xexxxex
Software\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion
Restoring V1 toolbar uninstall key...
Renaming V1 uninstall key...
Error replacing toolbar uninstall key!
Error opeing uninstall registry key in HKLM\
Sxoxfxtxwxaxrxex\xMxixcxrxoxsxoxfxtx\xWxixnxdxoxwxsx\xCxuxrxrxexnxtxVxexrxsxixoxnx\xUxnxixnxsxtxaxlxlx\xKxexexpxMxyxSxextxtxixnxgxsxXx
CoreSearchProtectorApp.cpp
Error removing V1 registry key from HKLM\
Error copying V1 registry key!
CCoreSearchProtectorApp.ShutDown: window not found
Error removing registry key from HKLM\
Software\Microsoft\Windows\CurrentVersion\Run
apiurl
offerurl
dsotherurl
spotherurl
%s/provider[%d]
hXXp://google.com
hXXp://bing.com
hXXps://VVV.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-us:IE-Address&ie=&oe=
firefoxsearch
chromesearch
firefoxstartpage
chromestartpage
keyword.URL
config.dat
Error replacing Yahoo Toolbar uninstall key!
Yahoo uninstall key not found
Software\Microsoft\Windows\CurrentVersion\Uninstall\
UninstallKey
ChromeSearchExtensionId
UninstallKey=
FirefoxPriorSearchUrl
ChromeStartPageExtensionId
FirefoxPriorStartPage
CoreBrowserOptionUninstaller.cpp
g:\winapps\windows\main\core.cpplib\core.cpplib.browser\CoreSafari.h
safari.exe,safariurl,safari
%appdata%\Apple Computer\Safari\Cookies\Cookies.binarycookies
Loading Safari cookies for url:[
CoreSafari.cpp
%appdata%\Apple Computer\Safari\Cookies\Cookies.plist
Failed to get Safari version key!
safari.exe
-url "%s"
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
http\shell\open\command
Can't find shell associations or shell command reg keys!
CoreBrowser.cpp
Dll %s failed, resultcode = %x
SymCCIS2.zip
SymCCIS.dll
RunDLL productlist="%s" resultcodes="%s"
SCCLog.txt
SymCCISDll.txt
SymCCIS_CheckCriteria.txt
SymInstallStub.txt
Detect.cpp
/executeresult/text()
/execute/text()
Missing ExecuteResult in requirement config!
%programfiles%\iTunes\iTunes.exe
SOFTWARE\Microsoft\Windows Live\Messenger
msnmsgr.exe
ydetect.yas
ydetect.ytb
ydetect.yhp
Rules.cpp
RegKeyExists
regkey
firefoxprefs
chromeprefs
CDetectionYahooToolbar::IsInstalledFirefox
CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\InprocServer32
%firefoxprofiles%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\install.rdf
KeyExists
SourceKey
hkey_current_user
hkey_classes_root
hkey_local_machine
hkey_current_config
multireg%d
multireg: unable to parse key:
multireg: key found:
1.1.0.6
//flag[%d]/text()
Cannot evaluate .NET Version, .NET may not be installed!
DetectionFile.cpp
wajam_validate.zip
wajamexemissing
extracted wajam exe file not found!
Timed out waiting for wajam_validate.exe!
Unable to get returncode from wajam_validate.exe!
wajam_validate.exe detection process result = %d
yahoo.com
live.com
google.com
ask.com
msn.com
aol.com
CDetectionFirefoxPrefs::OnEvaluate
DetectionFirefoxPrefs.cpp
CDetectionChromePrefs::OnEvaluate
DetectionChromePrefs.cpp
)] disabled because of minimum windows version.
minwindowsversion
DetectionRule.cpp
Disabled; Firefox is not installed
Disabled; rule target is not Firefox
Disabled; Chrome is not installed
Disabled; rule target is not Chrome
asktbdet.zip
Ask detection process result = %d
CoreWininet.cpp
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
wininet: connecting to %s:%d
HTTPSendRequest:
wininet: HttpOpenRequest failed!
CCoreWininet::HTTPSendRequest
wininet: Request handle is NULL after HttpSendRequest!
httpopenrequest
unable to set wininet http decoding
httpreqerr
Content-Type: application/x-www-form-urlencoded
httpaddheaders
wininet: HttpAddRequestHeaders (post flag) failed!
Range: bytes=%u-%u
Range: bytes=%u-
httpaddheader
wininet: HttpAddRequestHeaders (range specification) failed!
wininet: HttpSendRequest failed! (verb=
httpsendreq
wininet: HttpSendRequest failed!
httptimeout
httpqueryinfo
wininet: HttpQueryInfo failed!
httpproxy
wininet: Server responded with error: %d, %s. %s %s
wininet: HttpSendRequest: status OK received
httpstatus
wininet: HttpQueryInfo for content range failed!
wininet: HttpQueryInfo for file size failed!
wininet: Operation cancelled by caller.
Software\Microsoft\Windows\CurrentVersion\Internet Settings
HTTP Status %d: %s
API url is invalid!
apiUrl is null!
%m/%d/%Y
Url is null!
%s, %s, l=0xx
[0x%X]
d:%s
01234567
%s(%s);
CoreJSON2.cpp
Node path not valid; node "%s" in path "%s" is not type Node!
PackageZlib.cpp
Error: %d bytes of %d read from file %s.
unzOpenCurrentFilePassword failed!
Error: %d bytes of %d were written to file %s.
unzOpenCurrentFilePassword failed! err=
Package.cpp
autorun.txt
CCoreSqlite::OpenDatabase
CCoreSqlite::CloseDatabase
CCoreSqlite::ExecuteStatement
dbexecerror
sqlite3_exec failed, returned error:
CoreSqlite.cpp
CCoreSqlite::StandardExecuteCallback
CCoreSqlite::PrepareCompiledStmt
Cannot prepare statement, sql is empty!
Failed to prepare compiled statement, sqlite returned error: %d
sqlempty
sqliteerror
CCoreSqlite::BindTextToCompiledStmt
bind text failed, errorcode=%d
CCoreSqlite::ExecuteCompiledStmt
sqlite3_step failed, errorcode=%d
CCoreSqlite::CheckStmtRowValid
sqlitestepfailed
Cannot get row results: statement has not executed!!
sqlite3_finalize failed, errorcode=%d
CCoreSqlite::CloseCompiledStmt
SQLITE_
d-d-d
d-d-d d:d:d
d:d:d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
%s-shm
%s\etilqs_
OsError 0x%x (%u)
invalid page number %d
Recovered %d frames from WAL file %s
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
2nd reference to page %d
Failed to read ptrmap key=%d
Page %d:
unable to get the page. error code=%d
failed to get page %d
freelist leaf count too big on page %d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Corruption detected in cell %d on page %d
Page %d is never used
Pointer map page %d is referenced
unknown database %s
Outstanding page count goes from %d to %d during this analysis
keyinfo(%d
%s(%d)
%s-mjX
foreign key constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
abort at %d in [%s]: %s
zeroblob(%d)
no such savepoint: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
cannot rollback transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
cannot %s savepoint - SQL statements in progress
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
sqlite_temp_master
sqlite_master
cannot change %s wal mode from within a transaction
database table is locked: %s
cannot open value of type %s
statement aborts at %d: [%s] %s
cannot open view: %s
no such column: "%s"
cannot open virtual table: %s
cannot open %s column for writing
foreign key
indexed
misuse of aliased aggregate %s
%s: %s
not authorized to use function: %s
%s: %s.%s.%s
%s: %s.%s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
variable number must be between ?1 and ?%d
too many SQL variables
Expression tree is too large (maximum depth %d)
too many columns in %s
EXECUTE %s%s SUBQUERY %d
%.*s"%w"%s
misuse of aggregate: %s()
sqlite_rename_trigger
sqlite_rename_parent
%s%.*s"%w"
sqlite_rename_table
type='trigger' AND (%s)
%s OR name=%Q
table %s may not be altered
view %s may not be altered
there is already another table or index with this name: %s
sqlite_
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_stat1
sqlite_altertab_%s
SELECT tbl, idx, stat FROM %Q.sqlite_stat1
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE tbl=%Q
database %s is already in use
invalid name: "%s"
too many attached databases - max %d
unable to open database: %s
no such database: %s
database %s is locked
sqlite_detach
cannot detach database %s
access to %s.%s.%s is prohibited
sqlite_attach
%s %T cannot reference objects in database %s
access to %s.%s is prohibited
object name reserved for internal use: %s
too many columns on %s
duplicate column name: %s
there is already an index named %s
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
default value of column [%s] is not constant
table "%s" has more than one primary key
no such collation sequence: %s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
CREATE %s %.*s
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
use DROP VIEW to delete view %s
DELETE FROM %s.sqlite_sequence WHERE name=%Q
table %s may not be dropped
use DROP TABLE to delete table %s
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
unknown column "%s" in foreign key definition
indexed columns are not unique
virtual tables may not be indexed
there is already a table named %s
table %s may not be indexed
views may not be indexed
table %s has no column named %s
index %s already exists
sqlite_autoindex_%s_%d
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
CREATE%s INDEX %.*s
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
a JOIN clause is required before %s
cannot modify %s because it is a view
unable to identify the object to be reindexed
table %s may not be modified
sqlite_version
sqlite_compileoption_get
sqlite_source_id
sqlite_compileoption_used
table %S has %d columns but %d values were supplied
%d values for %d columns
foreign key mismatch
%s.%s may not be NULL
PRIMARY KEY must be unique
table %S has no column named %s
no entry point [%s] in shared library [%s]
error during initialization: %s
sqlite3_extension_init
unable to open shared library [%s]
automatic extension loading failed: %s
foreign_keys
foreign_key_list
*** in database %s ***
unsupported encoding: %s
unsupported file format
malformed database schema (%s)
%s - %s
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
cannot join using column %s - column not present in both tables
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
COMPOUND SUBQUERIES %d AND %d %s(%s)
USE TEMP B-TREE FOR %s
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
sqlite_subquery_%p_
no such table: %s
sqlite3_get_table() called with two or more incompatible queries
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
cannot create %s trigger on view: %S
-- TRIGGER %s
no such column: %s
no such trigger: %S
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
vtable constructor failed: %s
vtable constructor did not declare schema: %s
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
no such module: %s
table %s: xBestIndex returned an invalid plan
%s AS %s
%s SUBQUERY %d
%s TABLE %s
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s USING %s%sINDEX%s%s%s
%s (rowid<?)
%s VIRTUAL TABLE INDEX %d:%s
%s (rowid>? AND rowid<?)
%s (rowid>?)
cannot use index: %s
%s (~%lld rows)
at most %d tables in a join
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
SQL logic error or missing database
unknown operation
large file support is disabled
no such vfs: %s
unknown database: %s
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
database corruption at line %d of [%.10s]
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
CREATE TABLE sqlite_master(
sql text
3.7.5
CREATE TEMP TABLE sqlite_temp_master(
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
1.2.7
deflate 1.2.7 Copyright 1995-2012 Jean-loup Gailly and Mark Adler
inflate 1.2.7 Copyright 1995-2012 Mark Adler
%s="%s"
</%s>
<!--%s-->
%s='%s'
version="%s"
<![CDATA[%s]]>
standalone="%s"
encoding="%s"
CoreDialogCloseProcess.cpp
CoreHtmlDialog.cpp
onBeforeNavigate2 called, url=
CoreIEControl.cpp
uxtheme.dll
Error getting IExecAction!
CCoreWinTask::AddExecAction
CCoreOpera::EnumCookies
g:\winapps\windows\main\core.cpplib\core.cpplib.browser\CoreOpera.h
LoadCookies is not implemented for Opera!
CCoreOpera::SetCookie
EnumCookies is not implemented for Opera!
CCoreOpera::LoadCookies
OpenURL is not implemented for Opera!
opera.exe,opera.protocol,opera.url,opera,operanext,operastable
SetCookie is not implemented for Opera!
CCoreOpera::OpenUrl
opera.exe
Software\Opera Software
launcher.exe
%programfiles%\Opera
%programfiles%\Opera Next
CoreIEHost.cpp
m_WebBrowserEvents failed
IWebBrowser2 failed
_WebBrowserEvents failed
Not initialized or _webBrowser is NULL!
Sending Quit to web browser...
IWebBrowser failed!
_webBrowser->Quit failed!
CCoreIEHost::DeleteHistoryUrl
WebBrowser object is NULL!
CCoreIEHost.OnDocumentComplete:
Error: Collection didn't support IHTMLElementCollection!
*** set key code to 0 ****
G:\winapps\Windows\MAIN\Installer.QuickStart.Application\ReleaseNoMFC\quickstart.pdb
KERNEL32.dll
USER32.dll
OLEAUT32.dll
SHDeleteEmptyKeyA
SHLWAPI.dll
COMCTL32.dll
GetProcessHeap
GetCPInfo
ShellExecuteExA
SHELL32.dll
ole32.dll
PSAPI.DLL
VERSION.dll
USERENV.dll
InternetCreateUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCombineUrlA
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindCloseUrlCache
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpQueryInfoA
WININET.dll
UrlEscapeA
SHCopyKeyA
gdiplus.dll
IsValidURL
urlmon.dll
GetWindowsDirectoryA
EnumWindows
EnumChildWindows
GetKeyboardState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
RegEnumKeyExA
ADVAPI32.dll
CRYPT32.dll
.?AV?$_Ref_count@VCOfferExe@@@std@@
.?AV?$_Ref_count_obj@VCOfferExe@@@std@@
.?AV?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@
.?AVCOfferExe@@
.?AVCCoreStringUrl@@
.?AV?$CFlags@W4WebArgFlag@@@@
.?AV?$CAtlArray@V?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@V?$CElementTraits@V?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@@2@@ATL@@
.?AV?$CCoreEntryPoint@P6GJPAUHKEY__@@PBDKK@Z@@
.?AVCCoreRegKey@@
.?AVCCoreFirefox@@
.?AV?$CFlags@W4CoreFirefoxCache@@@@
.?AV?$_Func_impl@U?$_Callable_obj@V?$_Bind@$00XU?$_Pmf_wrap@P8CCoreChrome@@AEXPAVCCoreSqlite@@PAV?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@@ZXV1@PAV2@PAV34@U_Nil@std@@U56@U56@U56@U56@@std@@QAVCCoreChrome@@AAV?$_Ph@$00@2@PAV?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@U_Nil@2@U72@U72@U72@@std@@$0A@@std@@V?$allocator@V?$_Func_class@XPAVCCoreSqlite@@U_Nil@std@@U23@U23@U23@U23@U23@@std@@@2@XPAVCCoreSqlite@@U_Nil@2@U52@U52@U52@U52@U52@@std@@
.?AVCCoreChrome@@
.?AV?$CFlags@W4CoreChromeCache@@@@
.?AV?$_Func_base@XPAVCCoreSqlite@@U_Nil@std@@U23@U23@U23@U23@U23@@std@@
.?AV?$_Bind@$00XU?$_Pmf_wrap@P8CCoreChrome@@AEXPAVCCoreSqlite@@PAV?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@@ZXV1@PAV2@PAV34@U_Nil@std@@U56@U56@U56@U56@@std@@QAVCCoreChrome@@AAV?$_Ph@$00@2@PAV?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@U_Nil@2@U72@U72@U72@@std@@
.?AVCCoreFirefoxXpiInstaller@@
.?AV?$_Ref_count_obj@VCCoreOpera@@@std@@
.?AV?$_Ref_count_obj@VCCoreChrome@@@std@@
.?AV?$_Ref_count_obj@VCCoreFirefox@@@std@@
.?AV?$_Ref_count_obj@VCDetectionChromePrefs@@@std@@
.?AV?$_Ref_count_obj@VCDetectionFirefoxPrefs@@@std@@
.?AVCDetectionFirefoxPrefs@@
.?AVCDetectionChromePrefs@@
.?AV?$CAtlArray@UWebArg@@V?$CElementTraits@UWebArg@@@ATL@@@ATL@@
.?AVCCoreWebArgs@@
.?AVCCoreSqlite@@
.?AV?$CAtlArray@PAV?$CAtlMap@V?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@V12@V?$CElementTraits@V?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@@2@V32@@ATL@@V?$CElementTraits@PAV?$CAtlMap@V?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@V12@V?$CElementTraits@V?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@@2@V32@@ATL@@@2@@ATL@@
.?AVCCoreSqliteResult@@
.?AVexecution_error@TinyXPath@@
.?AVCCoreOpera@@
.?AV?$CFlags@W4CoreOperaCache@@@@
.?AVCCoreWebBrowserEvents@@
.?AUDWebBrowserEvents2@@
c:\%original file name%.exe
@.reloc
Vista.BadArgs
\cookie.ini
\cookie.dat
Vista.BadArgs2
Domain%d
Name%d
\cookie%d.dat
\cookie%d.ini
Vista.NoAppLow
Vista.WideFail
Vista.GetCookieFail
Vista.AllocFail
Vista.CreateFileError
Vista.WriteFileError
Vista.SetCookie
SetCookie%d
Vista.SetCookieError
Error: %d. %s
g:\winapps\Windows\MAIN\Installer.QuickStart.Application\ReleaseNoMFC\Installer.CookieMan.pdb
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
wajam_validate.exe
mediaplayer_12478.txt
config.xml
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS></application></compatibility></assembly>PADPADDEmscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
combase.dll
mscoree.dll
1.0.72.0
safeinstall.exe
%original file name%.exe_348_rwx_00ED0000_00002000:
The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
%original file name%.exe_348_rwx_01080000_00002000:
The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
%original file name%.exe_348_rwx_10001000_00082000:
1.3.6.1.4.1.311.10.3.5
1.3.6.1.4.1.311.10.3.6
1.3.6.1.5.5.7.3.3
2.5.4.6
2.5.4.8
2.5.4.7
2.5.4.10
2.5.4.11
2.5.4.3
WINTRUST.dll
CRYPT32.dll
{X-X-X-XX-XXXXXX}operator
GetProcessWindowStation
SCC_CheckCriteria_Web
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
2.1.0.20
CryptCATCatalogInfoFromContext
CryptMsgClose
CertCloseStore
CertFreeCertificateContext
CertFindCertificateInStore
CryptMsgGetParam
CertGetEnhancedKeyUsage
CertNameToStrW
CertGetNameStringW
URLOpenStreamW
urlmon.dll
DeleteUrlCacheEntryW
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestW
WININET.dll
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
SHLWAPI.dll
USERENV.dll
GetProcessHeap
GetWindowsDirectoryW
GetCPInfo
MsgWaitForMultipleObjectsEx
RegEnumKeyExW
RegQueryInfoKeyW
OLEAUT32.dll
SHDeleteKeyW
SHDeleteEmptyKeyW
SYMCCIS.dll
c:\%original file name%.exe
0xX
..\Source\ccVerifyTrustStatic.cpp
%SymEFA%
EFACli.dll
CLSID\%s\LocalServer32
CLSID\%s\InprocServer32
NTDLL.DLL
..\Source\ccVerifyTrustImpl.cpp
..\Source\FileCache.cpp
..\Source\VerifyFile.cpp
..\Source\ccVerifyTrustPolicy.cpp
..\Source\CatalogIterator.cpp
..\Source\CatalogFileHash.cpp
WinTrust.dll
..\Source\CatalogContext.cpp
..\Source\ccSymModuleLifetimeMgrImpl.cpp
%s, %s, %s, %s(%ld)
..\Source\ccModule.cpp
..\Source\ccSystemInfo.cpp
..\Source\ccRegistry.cpp
..\Source\ccStringConvert.cpp
CSIDL_WINDOWS
SOFTWARE\Microsoft\Windows\CurrentVersion
..\Source\ccPathExpansion.cpp
\\?\UNC
..\Source\ccSplitPath.cpp
..\Source\ccOSInfo.cpp
\wpeutil.dll
\FACTORY.exe
\wpeinit.exe
..\Source\ccMemory.cpp
..\Source\ccFile.cpp
..\Source\ccWow64FsRedirection.cpp
%s\%s
CIsolation::GetRegistryHive(): RegOpenKeyEx() returned ERROR_FILE_NOT_FOUND
CIsolation::GetRegistryHive(): RegOpenKeyEx() returned ERROR_ACCESS_DENIED
isolate.ini
%COMMON_SILO_DATA%
..\Source\ccEncryptedString.cpp
..\Source\ccSynchronize.cpp
..\Source\ccSymDllLifetimeMgr.cpp
kernel32.dll
KERNEL32.DLL
PSAPI.DLL
..\Source\ccPEBReader.cpp
..\Source\ccPrivilege.cpp
..\Source\ccSymIndexValueCollectionImpl.cpp
WTSAPI32.DLL
..\Source\ccSymDllLifetimeMgrLocal.cpp
..\Source\ccSymIndexValueCollection.cpp
..\Source\ccSymValueCollection.cpp
%CCROOT%
rcPFRes.dll
rcPxyEvt.dll
rcProxy.dll
rcSvcHst.dll
rcEmlPxy.dll
rcLgView.dll
rcErrDsp.dll
rcAlert.dll
rcApp.dll
ccEmlPxy.dll
ccGLog.dll
ccJobMgr.dll
ccGEvt.dll
ccIPC.dll
ccRkSn.dll
PFPriv.dll
ccPxyIns.dll
ccPxyEvt.dll
ccInst64.dll
ccEvtCli.dll
ccTrstPc.dll
ccSvc.dll
ccEraser.dll
OEHeur.dll
ccCharCv.dll
ccInst.dll
DefUtDCD.dll
ccScanw.dll
ccScan.dll
dec_abi.dll
ccDec.dll
ccALEng.dll
ccErrDsp.dll
ccProSub.dll
ccVrTrst.dll
ccSetEvt.dll
ccSet.dll
ccAlert.dll
..\Source\ccArchive.cpp
..\Source\ccDummyArchive.cpp
..\Source\ccInstanceFactory.cpp
..\Source\ccSymValueCollectionConvert.cpp
..\Source\ccSymStreamArchive.cpp
Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion
%CCROOT%\
%CCDATA%\
..\Source\ccSymInstalledApps.cpp
..\Source\ccSymDigest.cpp
..\Source\ccSymKeyValueCollectionImpl.cpp
..\Source\ccSymMemoryImpl.cpp
Archive.Write(CMemoryImpl::CSerializeImpl::Version) == FALSE
Archive.Read(nVersion) == FALSE
..\Source\ccSymStringImpl.cpp
Archive.Write(CStringImpl::Version) == FALSE
..\Source\ccSymInstanceFactoryImpl.cpp
..\Source\ccMessageLock.cpp
..\Source\ccSymKeyValueCollection.cpp
..\Source\ccSymPersist.cpp
%CCROOT%\ccSet.dll
..\Source\ccSymObjectRepository.cpp
CommonClient\OBJID\%s
..\Source\ccMemoryArchive.cpp
..\Source\ccSymMemoryStreamImpl.cpp
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
USER32.DLL
FileDownloader::callURLOpenStream
CHttpRequest::CHttpRequest
CHttpRequest::~CHttpRequest
CHttpRequest::RequestPage
CHttpRequest::ParseURLW
https
[s d, d - d:d:d:d]
%s %ld
%s %s
%s 0x%x
hXXp://cps.qalabs.symantec.com/teams/isp/symccis
hXXp://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Staging
hXXp://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production
SymCCIS.dll
SCC.dll
OfferUI.dll
SymInstallStub.exe
SymCCISDll.txt
Total CheckCriteria execution time in seconds =
NortonOfferEngineImpl::CheckCriteria_Web
downloadStubInstallerExe() failed, HR =
Failed to delete downloaded SCC.dll, GetLastError =
Failed to delete existing SCC.dll, GetLastError =
NortonOfferEngineImpl::downloadStubInstallerExe
Failed to delete existing SymInstallStub.exe, GetLastError =
NortonOfferEngineImpl::buildComponentDownloadURL
NortonOfferEngineImpl::getTestEnvironmentRootURL
NortonOfferEngineImpl::getISExeDestPath
getISExeDestPath() returned =
NortonOfferEngineImpl::sendPingForCheckCriteriaWeb
NortonOfferEngineImpl::getCheckCriteriaPingDataWeb
NortonOfferEngineImpl::getStubInstallerCmdLine
getStubInstallerCmdLine() returned =
NortonOfferEngineImpl::deleteDeclineCountRegKeyForThisProduct
NortonOfferEngineImpl::deleteDeclineCountParentKeyIfNoMoreProductsExist
Deleting DeclineCount subkey for partner =
Failed to create/open DECLINE_COUNT_REG_KEY
Advapi32.dll
hXXp://stats.norton.com/n/p?
PingData::SendCheckCriteriaWebPing
PingData::createBaseURL
PingData::getCheckCriteriaPingURL
PingData::getCheckCriteriaWebPingURL
PingData::getInstallProductsPingURL
PingData::getOfferAcceptancePingURL
pingURL =
X.X
%u.%u.%u.%u.%u
Utility::LaunchProcessWithShellExecute
ShellExecuteEx failed, GetLastError =
%original file name%.exe_348_rwx_10084000_00002000:
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
NRTN_OfferEngine_CheckCriteria_Web
kernel32.dll
urlmon.dll
URLOpenStreamW
WININET.dll
USER32.dll
MsgWaitForMultipleObjectsEx
ADVAPI32.dll
SHELL32.dll
ole32.dll
SHLWAPI.dll
USERENV.dll
OLEAUT32.dll
2.1.0.20
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original PUP file.
- Delete or disinfect the following files created/modified by the PUP:
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\yahoo.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\ECBFC9AB-A637-4487-9A66-817881951C55.zip (904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\E92D7B47-33AD-4469-81D4-CB551DE8DDA8.zip (889 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\1D677809-65E4-4CBA-B3B2-1705755F5F07.zip (434 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\session.response.json (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\BF68CAAA-24EB-4A90-94B1-A68D8718116D.zip (731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\D21384DD-7E7F-4D84-9C43-6D82036FA24F.zip (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\container-separator.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\226383C9-5E0D-4ABD-8308-30F31DD040A6.zip (666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\fulldiskfighter.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\4594AF2F-4D07-4B39-B15B-443A87882878.zip (732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\C4B20519-3B35-4A1C-BB5C-695D80D9C28D.zip (926 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\checkbox.png (650 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\5C22ACAC-4D3A-4D89-9980-81FBB493E7B8.zip (888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\screenmanager.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\E9E56BE3-7EC7-450B-9C2E-BA9B0BCD6B05.zip (817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\pcoptimizerpro_offer.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\099AEF6E-E690-4A5C-85F8-481343649504.zip (809 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\testsuitemanager.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\noyahoo.js (323 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\knockout-2.2.1.js (2696 bytes)
%System%\wbem\Logs\wbemprox.log (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\lodash.custom.min.js (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\66DFABC3-9023-45A3-A5DE-FA8CAAEF0AAC.zip (856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\AF33782B-57D0-466B-831D-0CE47455F809.zip (892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\2704D408-C40A-4848-BC30-B5478423E8C9.zip (821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\js\script.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\btn.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\filewhiz_tn.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\btn-win-cancel.png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\petite_oo_v5.vi.json (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\bg_disc_wrap.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\B2B00637-BC0D-48D8-B686-9F13DA5E04A1.zip (822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4RSNKIEU\ENG.SCC.config[1].txt (740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\step-contents-stepped.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\80A3CCD4-64BC-4AF8-853B-ABA075AE5218.zip (866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\library\images\step-contents.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\F80287B7-718C-4676-AC71-3F1AB04A60E1.zip (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zx_161aa2bb0\dialogs\smartdriverupdater.vi.json (1 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.